Hackers to probe cyber crime defences at British banks

LONDON (Reuters) – In the next few months hackers will try to penetrate the cyber defences of Britain’s major banks and steal information about millions of customers. But for once they’ll be welcome.

Banks are on red alert after cyber criminals obtained details of 83 million clients from JPMorgan Chase this year, and Britain’s leading lenders have signed up for tests that let teams of certified hackers attack at will.

The cyber war games will mark a major escalation in how banks test defences in a high-stakes battle with criminals.

“It’s the first time that banks are having their systems tested for security threats in a live environment as opposed to a simulated or isolated one,” said Stephen Bonner, a partner in the cyber security team at KPMG.

Cyber crime costs the global economy $445 billion a year and the bill is rising, according to the Center for Strategic and International Studies (CSIS), which said it damages trade, competitiveness and innovation across industries.

Banks are particularly vulnerable, despite spending hundreds of millions of dollars a year on cyber defences. Increasingly sophisticated criminals are trying to steal money or client data, cause havoc in financial markets or score political points.

“A defender has to block every possible route of entry and the attacker only has to find one. That’s the position the banks are still in. The world is so connected now they have to look in every direction to protect themselves,” said Paul Docherty, technical director at Portcullis Computer Security, a consultancy which has been accredited to run the tests.

The Bank of England is behind the initiative. In June, it outlined a new framework called CBEST for handling the growing cyber threat.

It includes sharing intelligence from government agencies such as Britain’s GCHQ with companies, and encouraging more intense testing of financial institutions.

In the first such move by a leading central bank, the Bank of England will set the guidelines but leave banks to agree with the firms carrying out the tests how far their “attack teams” can infiltrate bank systems.